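        // Create a SAML response with the user's local identity, if any, or indicating an error.
        //
        // The bearer assertion is bound to the request it answers (InResponseTo), to the endpoint it may be
        // delivered to (Recipient / Destination), to a short validity window (NotOnOrAfter) and to an audience.
        // Without the window and audience a captured response stays valid indefinitely and can be replayed or
        // presented to another relying party; SAML 2.0 Profiles section 4.1.4.2 requires NotOnOrAfter and an
        // AudienceRestriction for bearer assertions, and forbids NotBefore on the SubjectConfirmationData.
        //
        // NOTE(review): ssoState.assertionConsumerServiceURL is assumed to have been checked against the SP's
        // registered endpoints before reaching this method - confirm. An IdP that trusts an ACS URL taken from
        // an unsigned AuthnRequest delivers assertions to an attacker-chosen URL. Signing is not visible here.
        private SAMLResponse CreateSAMLResponse(SSOState ssoState)
        {
            Trace.Write("IdP", "Creating SAML response");

            SAMLResponse samlResponse = new SAMLResponse();
            string issuerURL = CreateAbsoluteURL("~/");
            Issuer issuer = new Issuer(issuerURL);
            samlResponse.Issuer = issuer;
            // Correlate the response with the originating request and pin where it may be delivered.
            samlResponse.InResponseTo = ssoState.authnRequest.ID;
            samlResponse.Destination = ssoState.assertionConsumerServiceURL;

            if (User.Identity.IsAuthenticated) {
                samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);

                SAMLAssertion samlAssertion = new SAMLAssertion();
                samlAssertion.Issuer = issuer;

                // Ten-minute validity window (the same window the request-bound variant of this method uses).
                samlAssertion.Conditions = new Conditions(new TimeSpan(0, 10, 0));
                AudienceRestriction audienceRestriction = new AudienceRestriction();
                // NOTE(review): the project uses the ACS URL as the audience; the profile intends the SP's
                // entity ID here - confirm what the consuming SP expects.
                audienceRestriction.Audiences.Add(new Audience(ssoState.assertionConsumerServiceURL));
                samlAssertion.Conditions.ConditionsList.Add(audienceRestriction);

                Subject subject = new Subject(new NameID(User.Identity.Name));
                SubjectConfirmation subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
                SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
                subjectConfirmationData.InResponseTo = ssoState.authnRequest.ID;
                subjectConfirmationData.Recipient = ssoState.assertionConsumerServiceURL;
                // Bearer confirmation expires with the assertion; NotBefore is deliberately not set.
                subjectConfirmationData.NotOnOrAfter = samlAssertion.Conditions.NotOnOrAfter;
                subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
                subject.SubjectConfirmations.Add(subjectConfirmation);
                samlAssertion.Subject = subject;

                AuthnStatement authnStatement = new AuthnStatement();
                authnStatement.AuthnContext = new AuthnContext();
                authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Password);
                samlAssertion.Statements.Add(authnStatement);

                // Attributes may be included in the SAML assertion. The value is a fixed demo value, not
                // derived from the user's local account.
                AttributeStatement attributeStatement = new AttributeStatement();
                attributeStatement.Attributes.Add(new SAMLAttribute("Membership", SAMLIdentifiers.AttributeNameFormats.Basic, null, "Gold"));
                samlAssertion.Statements.Add(attributeStatement);

                samlResponse.Assertions.Add(samlAssertion);
            } else {
                // No assertion is issued for an unauthenticated caller; only the status reports the failure.
                samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Responder, SAMLIdentifiers.SecondaryStatusCodes.AuthnFailed, "The user is not authenticated at the identity provider");
            }

            Trace.Write("IdP", "Created SAML response");

            return samlResponse;
        }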
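            // An AuthnContextDeclRef that is not a well-formed absolute URI must be rejected.
            // The expectation is asserted inline: a test that only calls the validator passes
            // vacuously if the malformed reference is silently accepted.
            public void ThrowsExceptionWhenAuthnContextAuthnContextDeclRefUriInvalid()
            {
                // Arrange
                var statement = new AuthnStatement
                {
                    AuthnInstant        = DateTime.UtcNow,
                    SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
                };

                statement.AuthnContext = new AuthnContext
                {
                    Items = new object[]
                    {
                        "urn:a.valid.uri:string",
                        "an/invalid/uri/string.aspx" // relative path, not an absolute URI
                    },
                    ItemsElementName = new[]
                    {
                        AuthnContextType.AuthnContextClassRef,
                        AuthnContextType.AuthnContextDeclRef
                    }
                };
                var validator = new Saml20StatementValidator();

                // Act
                var exception = Assert.Throws<Saml20FormatException>(() => validator.ValidateStatement(statement));

                // Assert: the failure must be attributed to the DeclRef rule, not to some other check.
                Assert.AreEqual("AuthnContextDeclRef has a value which is not a wellformed absolute uri", exception.Message);
            }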
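            // An inline AuthnContextDecl element is not supported and must be rejected outright.
            // Asserted inline so the test cannot pass without the validator actually throwing.
            public void ThrowsExceptionWhenAuthnContextAuthnContextDeclInvalid()
            {
                // Arrange
                var statement = new AuthnStatement
                {
                    AuthnInstant        = DateTime.UtcNow,
                    SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
                };

                statement.AuthnContext = new AuthnContext
                {
                    Items = new object[]
                    {
                        new AuthnStatement() // any inline declaration, regardless of content
                    },
                    ItemsElementName = new[]
                    {
                        AuthnContextType.AuthnContextDecl
                    }
                };
                var validator = new Saml20StatementValidator();

                // Act
                var exception = Assert.Throws<Saml20FormatException>(() => validator.ValidateStatement(statement));

                // Assert
                Assert.AreEqual("AuthnContextDecl elements are not allowed in this implementation", exception.Message);
            }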
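            // When two items are present, AuthnContextClassRef must come first; a DeclRef in the
            // first slot is a format error. The exception message is checked explicitly: the string
            // argument of NUnit's Assert.Throws is a failure message, not an expected exception text.
            public void ThrowsExceptionWhenAuthnContextFirstItemNotAuthnContextClassRef()
            {
                // Arrange
                var statement = new AuthnStatement
                {
                    AuthnInstant        = DateTime.UtcNow,
                    SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
                };

                statement.AuthnContext = new AuthnContext
                {
                    Items = new object[]
                    {
                        "urn:a.valid.uri:string",
                        "urn:a.valid.uri:string"
                    },
                    ItemsElementName = new[]
                    {
                        AuthnContextType.AuthnContextDeclRef, // wrong: ClassRef must be first
                        AuthnContextType.AuthnContextClassRef
                    }
                };
                var validator = new Saml20StatementValidator();

                // Act
                var exception = Assert.Throws<Saml20FormatException>(() => validator.ValidateStatement(statement));

                // Assert
                Assert.AreEqual("AuthnContextClassRef must be in the first element", exception.Message);
            }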
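            // AuthnContext may hold at most two items; three must be rejected. The exception message is
            // checked explicitly (the string argument of NUnit's Assert.Throws is only a failure message).
            public void ThrowsExceptionWhenAuthnContextHasMoreThanTwoItems()
            {
                // Arrange
                var statement = new AuthnStatement
                {
                    AuthnInstant        = DateTime.UtcNow,
                    SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
                };

                statement.AuthnContext = new AuthnContext
                {
                    Items = new object[]
                    {
                        "urn:a.valid.uri:string",
                        "urn:a.valid.uri:string",
                        "urn:a.valid.uri:string"
                    },
                    ItemsElementName = new[]
                    {
                        AuthnContextType.AuthnContextDeclRef,
                        AuthnContextType.AuthnContextDeclRef,
                        AuthnContextType.AuthnContextDeclRef
                    }
                };
                var validator = new Saml20StatementValidator();

                // Act
                var exception = Assert.Throws<Saml20FormatException>(() => validator.ValidateStatement(statement));

                // Assert
                Assert.AreEqual("AuthnContext MUST NOT contain more than two elements.", exception.Message);
            }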
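            // An empty AuthnContextClassRef is not a well-formed absolute URI and must be rejected.
            // The expected message (previously carried by an ExpectedMessage attribute) is asserted
            // on the caught exception so a failure from some other rule cannot satisfy this test.
            public void ThrowsExceptionWhenAuthnContextAuthnContextClassRefUriInvalid()
            {
                // Arrange
                var statement = new AuthnStatement
                {
                    AuthnInstant        = DateTime.UtcNow,
                    SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
                };

                statement.AuthnContext = new AuthnContext
                {
                    Items = new object[]
                    {
                        string.Empty, // invalid ClassRef
                        "urn:a.valid.uri:string"
                    },
                    ItemsElementName = new[]
                    {
                        AuthnContextType.AuthnContextClassRef,
                        AuthnContextType.AuthnContextDeclRef
                    }
                };
                var validator = new Saml20StatementValidator();

                // Act
                var exception = Assert.Throws(typeof(Saml20FormatException), () =>
                {
                    validator.ValidateStatement(statement, true);
                });

                // Assert
                Assert.AreEqual("AuthnContextClassRef has a value which is not a wellformed absolute uri", exception.Message);
            }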
 /// <summary>
 /// Enforces the DK-SAML 2.0 profile rule that an <c>AuthnStatement</c> carries a <c>SessionIndex</c>.
 /// </summary>
 /// <param name="authnStatement">The <c>AuthnStatement</c> to check; assumed non-null.</param>
 /// <exception cref="SAML2.Profiles.DKSAML20.DKSaml20FormatException">Thrown when <c>Saml20Utils.ValidateRequiredString</c> rejects the <c>SessionIndex</c> value (absent or, presumably, blank).</exception>
 private void ValidateAuthnStatement(AuthnStatement authnStatement)
 {
     bool hasSessionIndex = Saml20Utils.ValidateRequiredString(authnStatement.SessionIndex);
     if (hasSessionIndex)
     {
         return;
     }

     throw new DKSaml20FormatException("The DK-SAML 2.0 profile requires that the \"AuthnStatement\" element contains the \"SessionIndex\" attribute.");
 }
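            // An AuthenticatingAuthority entry that is not a well-formed absolute URI must be rejected.
            // Asserted inline; without the assertion this test passes even if the value is accepted.
            public void ThrowsExceptionWhenAuthnContextAuthenticatingAuthorityUriInvalid()
            {
                // Arrange
                var statement = new AuthnStatement
                {
                    AuthnInstant        = DateTime.UtcNow,
                    SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
                };

                statement.AuthnContext = new AuthnContext
                {
                    AuthenticatingAuthority = new[]
                    {
                        "urn:aksdlfj",
                        "urn/invalid" // not an absolute URI
                    },
                    Items = new object[]
                    {
                        "urn:a:valid.uri:string",
                        "http://another/valid/uri.string"
                    },
                    ItemsElementName = new[]
                    {
                        AuthnContextType.AuthnContextClassRef,
                        AuthnContextType.AuthnContextDeclRef
                    }
                };
                var validator = new Saml20StatementValidator();

                // Act
                var exception = Assert.Throws<Saml20FormatException>(() => validator.ValidateStatement(statement));

                // Assert
                Assert.AreEqual("AuthenticatingAuthority array contains a value which is not a wellformed absolute uri", exception.Message);
            }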
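            // An AuthenticatingAuthority entry that is not a well-formed absolute URI must be rejected.
            // The exception message is checked explicitly: the string argument of NUnit's Assert.Throws
            // is a failure message and does not verify which rule fired.
            public void ThrowsExceptionWhenAuthnContextAuthenticatingAuthorityUriInvalid()
            {
                // Arrange
                var statement = new AuthnStatement
                {
                    AuthnInstant        = DateTime.UtcNow,
                    SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
                };

                statement.AuthnContext = new AuthnContext
                {
                    AuthenticatingAuthority = new[]
                    {
                        "urn:aksdlfj",
                        "urn/invalid" // not an absolute URI
                    },
                    Items = new object[]
                    {
                        "urn:a:valid.uri:string",
                        "http://another/valid/uri.string"
                    },
                    ItemsElementName = new[]
                    {
                        AuthnContextType.AuthnContextClassRef,
                        AuthnContextType.AuthnContextDeclRef
                    }
                };
                var validator = new Saml20StatementValidator();

                // Act
                var exception = Assert.Throws<Saml20FormatException>(() => validator.ValidateStatement(statement));

                // Assert
                Assert.AreEqual("AuthenticatingAuthority array contains a value which is not a wellformed absolute uri", exception.Message);
            }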
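            // AuthnContext may hold at most two items; three must be rejected when validating with the
            // second argument set to true. Asserted inline so the test cannot pass without a throw.
            // NOTE(review): the message is not checked here because the rule that fires on this code
            // path is not visible in this file - add an Assert.AreEqual on exception.Message once confirmed.
            public void ThrowsExceptionWhenAuthnContextHasMoreThanTwoItems()
            {
                // Arrange
                var statement = new AuthnStatement
                {
                    AuthnInstant        = DateTime.UtcNow,
                    SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
                };

                statement.AuthnContext = new AuthnContext
                {
                    Items = new object[]
                    {
                        "urn:a.valid.uri:string",
                        "urn:a.valid.uri:string",
                        "urn:a.valid.uri:string"
                    },
                    ItemsElementName = new[]
                    {
                        AuthnContextType.AuthnContextDeclRef,
                        AuthnContextType.AuthnContextDeclRef,
                        AuthnContextType.AuthnContextDeclRef
                    }
                };
                var validator = new Saml20StatementValidator();

                // Act / Assert
                Assert.Throws<Saml20FormatException>(() => validator.ValidateStatement(statement, true));
            }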
        // Exercises the DK-SAML 2.0 profile rules for the AuthnStatement of a basic assertion: a missing
        // SessionIndex, a malformed AuthnContextClassRef, and a missing AuthnStatement must each be reported
        // with the profile's exact message. Each mutation is undone before the next case runs.
        public void AuthnStatement_Element()
        {
            Assertion saml20Assertion = AssertionUtil.GetBasicAssertion();
            AuthnStatement authnStmt = (AuthnStatement)Array.Find(saml20Assertion.Items, s => s is AuthnStatement);

            // Case 1: SessionIndex is mandatory under the profile.
            {
                string savedSessionIndex = authnStmt.SessionIndex;
                authnStmt.SessionIndex = null;
                TestAssertion(saml20Assertion, "The DK-SAML 2.0 profile requires that the \"AuthnStatement\" element contains the \"SessionIndex\" attribute.");
                authnStmt.SessionIndex = savedSessionIndex;
            }

            // Case 2: the X509 class reference is replaced by a value that is not an absolute URI.
            // (contextItems aliases the statement's own array, so the write is visible to the validator.)
            {
                object[] contextItems = authnStmt.AuthnContext.Items;
                int x509Index = Array.FindIndex(contextItems, item => item is string && item.ToString() == "urn:oasis:names:tc:SAML:2.0:ac:classes:X509");
                object savedValue = contextItems[x509Index];
                contextItems[x509Index] = "Hallelujagobble!!";
                TestAssertion(saml20Assertion, "AuthnContextClassRef has a value which is not a wellformed absolute uri");
                contextItems[x509Index] = savedValue;
            }

            // Case 3: drop the AuthnStatement from a fresh assertion; the profile requires exactly one.
            saml20Assertion = AssertionUtil.GetBasicAssertion();
            var remainingStatements = new List<StatementAbstract>(saml20Assertion.Items);
            remainingStatements.RemoveAll(s => s is AuthnStatement);
            saml20Assertion.Items = remainingStatements.ToArray();
            TestAssertion(saml20Assertion, "The DK-SAML 2.0 profile requires exactly one \"AuthnStatement\" element and one \"AttributeStatement\" element.");
        }
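        // Create a SAML response with the user's local identity (IdP-initiated: there is no request to
        // correlate with, so no InResponseTo is set).
        //
        // The bearer assertion is bounded by a short Conditions window and an audience, and the bearer
        // confirmation expires with it. Without these a captured response remains valid indefinitely and
        // can be replayed or presented to another relying party; SAML 2.0 Profiles section 4.1.4.2 requires
        // NotOnOrAfter and an AudienceRestriction for bearer assertions and forbids NotBefore on the
        // SubjectConfirmationData, so only the expiry is copied there.
        //
        // NOTE(review): signing of the response is not visible in this method - confirm it happens before
        // the response leaves the IdP.
        private SAMLResponse CreateSAMLResponse()
        {
            Trace.Write("IdP", "Creating SAML response");

            SAMLResponse samlResponse = new SAMLResponse();
            samlResponse.Destination = Configuration.AssertionConsumerServiceURL;
            Issuer issuer = new Issuer(CreateAbsoluteURL("~/"));
            samlResponse.Issuer = issuer;
            samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);

            SAMLAssertion samlAssertion = new SAMLAssertion();
            samlAssertion.Issuer = issuer;

            // Ten-minute validity window (the window used by the request-bound variant of this method).
            samlAssertion.Conditions = new Conditions(new TimeSpan(0, 10, 0));
            AudienceRestriction audienceRestriction = new AudienceRestriction();
            // NOTE(review): the project uses the ACS URL as the audience; the profile intends the SP's
            // entity ID here - confirm what the consuming SP expects.
            audienceRestriction.Audiences.Add(new Audience(Configuration.AssertionConsumerServiceURL));
            samlAssertion.Conditions.ConditionsList.Add(audienceRestriction);

            Subject subject = new Subject(new NameID(User.Identity.Name));
            SubjectConfirmation subjectConfirmation = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
            SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
            subjectConfirmationData.Recipient = Configuration.AssertionConsumerServiceURL;
            // Bearer confirmation expires with the assertion; NotBefore is deliberately not set.
            subjectConfirmationData.NotOnOrAfter = samlAssertion.Conditions.NotOnOrAfter;
            subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
            subject.SubjectConfirmations.Add(subjectConfirmation);
            samlAssertion.Subject = subject;

            AuthnStatement authnStatement = new AuthnStatement();
            authnStatement.AuthnContext = new AuthnContext();
            authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Password);
            samlAssertion.Statements.Add(authnStatement);

            samlResponse.Assertions.Add(samlAssertion);

            Trace.Write("IdP", "Created SAML response");

            return samlResponse;
        }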
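            // An inline AuthnContextDecl element is not supported and must be rejected outright.
            // The exception message is checked explicitly: the string argument of NUnit's Assert.Throws
            // is a failure message and does not verify which rule fired.
            public void ThrowsExceptionWhenAuthnContextAuthnContextDeclInvalid()
            {
                // Arrange
                var statement = new AuthnStatement
                {
                    AuthnInstant        = DateTime.UtcNow,
                    SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
                };

                statement.AuthnContext = new AuthnContext
                {
                    Items = new object[]
                    {
                        new AuthnStatement() // any inline declaration, regardless of content
                    },
                    ItemsElementName = new[]
                    {
                        AuthnContextType.AuthnContextDecl
                    }
                };
                var validator = new Saml20StatementValidator();

                // Act
                var exception = Assert.Throws<Saml20FormatException>(() => validator.ValidateStatement(statement));

                // Assert
                Assert.AreEqual("AuthnContextDecl elements are not allowed in this implementation", exception.Message);
            }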
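            // An AuthnContextDeclRef that is not a well-formed absolute URI must be rejected.
            // The exception message is checked explicitly: the string argument of NUnit's Assert.Throws
            // is a failure message and does not verify which rule fired.
            public void ThrowsExceptionWhenAuthnContextAuthnContextDeclRefUriInvalid()
            {
                // Arrange
                var statement = new AuthnStatement
                {
                    AuthnInstant        = DateTime.UtcNow,
                    SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
                };

                statement.AuthnContext = new AuthnContext
                {
                    Items = new object[]
                    {
                        "urn:a.valid.uri:string",
                        "an/invalid/uri/string.aspx" // relative path, not an absolute URI
                    },
                    ItemsElementName = new[]
                    {
                        AuthnContextType.AuthnContextClassRef,
                        AuthnContextType.AuthnContextDeclRef
                    }
                };
                var validator = new Saml20StatementValidator();

                // Act
                var exception = Assert.Throws<Saml20FormatException>(() => validator.ValidateStatement(statement));

                // Assert
                Assert.AreEqual("AuthnContextDeclRef has a value which is not a wellformed absolute uri", exception.Message);
            }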
        /// <summary>
        /// Checks the structural rules for an <c>AuthnStatement</c> ([SAML2.0std] section 2.7.2):
        /// <c>AuthnInstant</c> is mandatory; <c>SessionIndex</c> and the <c>SubjectLocality</c>
        /// attributes are optional but must not be blank when present; the nested
        /// <c>AuthnContext</c> is validated by <c>ValidateAuthnContext</c>.
        /// </summary>
        /// <param name="statement">The statement to validate; assumed non-null.</param>
        /// <exception cref="Saml2FormatException">Thrown for the first rule that is violated.</exception>
        private void ValidateAuthnStatement(AuthnStatement statement)
        {
            if (statement.AuthnInstant == null)
            {
                throw new Saml2FormatException("AuthnStatement MUST have an AuthnInstant attribute");
            }

            RejectBlankOptionalString(statement.SessionIndex, "SessionIndex attribute of AuthnStatement must contain at least one non-whitespace character");

            var locality = statement.SubjectLocality;
            if (locality != null)
            {
                RejectBlankOptionalString(locality.Address, "Address attribute of SubjectLocality must contain at least one non-whitespace character");
                RejectBlankOptionalString(locality.DNSName, "DNSName attribute of SubjectLocality must contain at least one non-whitespace character");
            }

            ValidateAuthnContext(statement.AuthnContext);
        }

        /// <summary>
        /// Throws <c>Saml2FormatException</c> with <paramref name="message"/> when
        /// <c>Saml2Utils.ValidateOptionalString</c> rejects <paramref name="value"/>.
        /// </summary>
        private static void RejectBlankOptionalString(string value, string message)
        {
            if (!Saml2Utils.ValidateOptionalString(value))
            {
                throw new Saml2FormatException(message);
            }
        }
        // Build a SAML response asserting a configured Salesforce user for the locally authenticated user.
        // The assertion carries a one-hour Conditions window restricted to audienceURI, and the bearer
        // confirmation is pinned to the configured ACS URL with the same expiry (NotOnOrAfter only, as the
        // bearer profile requires). Two Salesforce-specific attributes advertise the IdP's login/logout pages.
        //
        // NOTE(review): every local user is mapped to the single Configuration.SalesforceLoginID, so anyone who
        // can authenticate here obtains that Salesforce identity. The in-body comment calls this a simplification;
        // treat it as demo-only, never as a production identity mapping.
        private SAMLResponse CreateSAMLResponse()
        {
            Trace.Write("IdP", "Creating SAML response");

            var issuer = new Issuer(Configuration.Issuer);
            var response = new SAMLResponse
            {
                Destination = Configuration.AssertionConsumerServiceURL,
                Issuer      = issuer,
                Status      = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null)
            };

            var assertion = new SAMLAssertion { Issuer = issuer };

            // For simplicity, a configured Salesforce user name is used.
            // NB. You must update the web.config to specify a valid Salesforce user name.
            // In a real world application you would perform some sort of local to Salesforce identity mapping.
            var confirmationData = new SubjectConfirmationData { Recipient = Configuration.AssertionConsumerServiceURL };
            var confirmation     = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer) { SubjectConfirmationData = confirmationData };
            var subject          = new Subject(new NameID(Configuration.SalesforceLoginID, null, null, SAMLIdentifiers.NameIdentifierFormats.Unspecified, null));
            subject.SubjectConfirmations.Add(confirmation);
            assertion.Subject = subject;

            // One-hour validity window; the bearer confirmation shares its expiry.
            var conditions          = new Conditions(new TimeSpan(1, 0, 0));
            var audienceRestriction = new AudienceRestriction();
            audienceRestriction.Audiences.Add(new Audience(audienceURI));
            conditions.ConditionsList.Add(audienceRestriction);
            assertion.Conditions         = conditions;
            confirmationData.NotOnOrAfter = conditions.NotOnOrAfter;

            var authnContext = new AuthnContext
            {
                AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Unspecified)
            };
            assertion.Statements.Add(new AuthnStatement { AuthnContext = authnContext });

            var attributes = new AttributeStatement();
            attributes.Attributes.Add(new SAMLAttribute(AttributeNames.SSOStartPage, SAMLIdentifiers.AttributeNameFormats.Unspecified, null, CreateAbsoluteURL("~/Login.aspx")));
            attributes.Attributes.Add(new SAMLAttribute(AttributeNames.LogoutURL, SAMLIdentifiers.AttributeNameFormats.Unspecified, null, CreateAbsoluteURL("~/Logout.aspx")));
            assertion.Statements.Add(attributes);

            response.Assertions.Add(assertion);

            Trace.Write("IdP", "Created SAML response");

            return response;
        }
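            // AuthnInstant is mandatory; a statement without it must be rejected.
            // Asserted inline so the test cannot pass without the validator actually throwing.
            public void ThrowsExceptionWhenAuthnInstantNull()
            {
                // Arrange
                var statement = new AuthnStatement();
                var validator = new Saml20StatementValidator();

                statement.AuthnInstant = null;

                // Act
                var exception = Assert.Throws<Saml20FormatException>(() => validator.ValidateStatement(statement));

                // Assert
                Assert.AreEqual("AuthnStatement MUST have an AuthnInstant attribute", exception.Message);
            }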
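            // AuthnInstant is mandatory; a statement without it must be rejected. The exception message is
            // checked explicitly (the string argument of NUnit's Assert.Throws is only a failure message).
            public void ThrowsExceptionWhenAuthnInstantNull()
            {
                // Arrange
                var statement = new AuthnStatement();
                var validator = new Saml20StatementValidator();

                statement.AuthnInstant = null;

                // Act
                var exception = Assert.Throws<Saml20FormatException>(() => validator.ValidateStatement(statement));

                // Assert
                Assert.AreEqual("AuthnStatement MUST have an AuthnInstant attribute", exception.Message);
            }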
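        // Create a SAML response with the user's local identity, if any, or indicating an error.
        //
        // The bearer assertion is bound to the request (InResponseTo), to the endpoint it may be delivered to
        // (Recipient / Destination), to a ten-minute validity window and to an audience, so it cannot be
        // replayed later or presented to another relying party. SAML 2.0 Profiles section 4.1.4.2 requires
        // NotOnOrAfter on the bearer SubjectConfirmationData and forbids NotBefore there, so only the expiry
        // is copied from the assertion's Conditions.
        //
        // NOTE(review): authnRequest.AssertionConsumerServiceURL comes from the request itself. Unless the
        // request is signed or this value is checked against the SP's registered endpoints before reaching
        // this method, a crafted AuthnRequest redirects the assertion to an attacker-chosen URL - confirm
        // where that check happens. The audience is the ACS URL; the profile intends the SP's entity ID.
        private SAMLResponse CreateSAMLResponse(AuthnRequest authnRequest)
        {
            Trace.Write("IdP", "Creating SAML response");

            SAMLResponse samlResponse = new SAMLResponse();

            samlResponse.InResponseTo = authnRequest.ID;
            samlResponse.Destination  = authnRequest.AssertionConsumerServiceURL;
            Issuer issuer = new Issuer(CreateAbsoluteURL("~/"));

            samlResponse.Issuer = issuer;

            if (User.Identity.IsAuthenticated)
            {
                samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);

                SAMLAssertion samlAssertion = new SAMLAssertion();
                samlAssertion.Issuer = issuer;

                // Ten-minute validity window; the bearer confirmation shares its expiry.
                samlAssertion.Conditions = new Conditions(new TimeSpan(0, 10, 0));
                AudienceRestriction audienceRestriction = new AudienceRestriction();
                audienceRestriction.Audiences.Add(new Audience(authnRequest.AssertionConsumerServiceURL));
                samlAssertion.Conditions.ConditionsList.Add(audienceRestriction);

                Subject                 subject                 = new Subject(new NameID(User.Identity.Name));
                SubjectConfirmation     subjectConfirmation     = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
                SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
                subjectConfirmationData.InResponseTo = authnRequest.ID;
                subjectConfirmationData.Recipient    = authnRequest.AssertionConsumerServiceURL;
                // NotBefore is deliberately not set on bearer confirmation data (profile section 4.1.4.2).
                subjectConfirmationData.NotOnOrAfter = samlAssertion.Conditions.NotOnOrAfter;

                subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
                subject.SubjectConfirmations.Add(subjectConfirmation);
                samlAssertion.Subject = subject;

                AuthnStatement authnStatement = new AuthnStatement();
                authnStatement.AuthnContext = new AuthnContext();
                authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Password);
                samlAssertion.Statements.Add(authnStatement);

                samlResponse.Assertions.Add(samlAssertion);
            }
            else
            {
                // No assertion is issued for an unauthenticated caller; only the status reports the failure.
                samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Responder, SAMLIdentifiers.SecondaryStatusCodes.AuthnFailed, "The user is not authenticated at the identity provider");
            }

            Trace.Write("IdP", "Created SAML response");

            return(samlResponse);
        }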
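            // AuthnContext is mandatory; a statement without it must be rejected.
            // Asserted inline so the test cannot pass without the validator actually throwing.
            public void ThrowsExceptionWhenAuthnContextNull()
            {
                // Arrange
                var statement = new AuthnStatement
                {
                    AuthnInstant        = DateTime.UtcNow,
                    SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
                };
                var validator = new Saml20StatementValidator();

                // Act
                var exception = Assert.Throws<Saml20FormatException>(() => validator.ValidateStatement(statement));

                // Assert
                Assert.AreEqual("AuthnStatement MUST have an AuthnContext element", exception.Message);
            }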
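            // AuthnInstant is mandatory; a statement without it must be rejected. The expected message
            // (previously carried by an ExpectedMessage attribute) is asserted on the caught exception.
            public void ThrowsExceptionWhenAuthnInstantNull()
            {
                // Arrange
                var statement = new AuthnStatement();
                var validator = new Saml20StatementValidator();

                statement.AuthnInstant = null;

                // Act
                var exception = Assert.Throws(typeof(Saml20FormatException), () =>
                {
                    validator.ValidateStatement(statement, true);
                });

                // Assert
                Assert.AreEqual("AuthnStatement MUST have an AuthnInstant attribute", exception.Message);
            }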
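            // AuthnContext is mandatory; a statement without it must be rejected. The exception message is
            // checked explicitly (the string argument of NUnit's Assert.Throws is only a failure message).
            public void ThrowsExceptionWhenAuthnContextNull()
            {
                // Arrange
                var statement = new AuthnStatement
                {
                    AuthnInstant        = DateTime.UtcNow,
                    SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
                };
                var validator = new Saml20StatementValidator();

                // Act
                var exception = Assert.Throws<Saml20FormatException>(() => validator.ValidateStatement(statement));

                // Assert
                Assert.AreEqual("AuthnStatement MUST have an AuthnContext element", exception.Message);
            }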
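            // An AuthnContext with no Items must be rejected: at least one ClassRef, Decl or DeclRef is
            // required. The exception message is checked explicitly (the string argument of NUnit's
            // Assert.Throws is only a failure message).
            public void ThrowsExceptionWhenAuthnContextItemsNull()
            {
                // Arrange
                var statement = new AuthnStatement
                {
                    AuthnContext        = new AuthnContext(), // Items left null
                    AuthnInstant        = DateTime.UtcNow,
                    SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
                };
                var validator = new Saml20StatementValidator();

                // Act
                var exception = Assert.Throws<Saml20FormatException>(() => validator.ValidateStatement(statement));

                // Assert
                Assert.AreEqual("AuthnContext element MUST contain at least one AuthnContextClassRef, AuthnContextDecl or AuthnContextDeclRef element", exception.Message);
            }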
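            // AuthnContext is mandatory; a statement without it must be rejected. The expected message
            // (previously carried by an ExpectedMessage attribute) is asserted on the caught exception.
            public void ThrowsExceptionWhenAuthnContextNull()
            {
                // Arrange
                var statement = new AuthnStatement
                {
                    AuthnInstant        = DateTime.UtcNow,
                    SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1)
                };
                var validator = new Saml20StatementValidator();

                // Act
                var exception = Assert.Throws(typeof(Saml20FormatException), () =>
                {
                    validator.ValidateStatement(statement, true);
                });

                // Assert
                Assert.AreEqual("AuthnStatement MUST have an AuthnContext element", exception.Message);
            }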
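        // Create a SAML response with the user's local identity, if any, or indicating an error.
        //
        // The bearer assertion is bound to the request it answers (InResponseTo), to the endpoint it may be
        // delivered to (Recipient / Destination), to a short validity window (NotOnOrAfter) and to an audience.
        // Without the window and audience a captured response stays valid indefinitely and can be replayed or
        // presented to another relying party; SAML 2.0 Profiles section 4.1.4.2 requires NotOnOrAfter and an
        // AudienceRestriction for bearer assertions, and forbids NotBefore on the SubjectConfirmationData.
        //
        // NOTE(review): ssoState.assertionConsumerServiceURL is assumed to have been checked against the SP's
        // registered endpoints before reaching this method - confirm. An IdP that trusts an ACS URL taken from
        // an unsigned AuthnRequest delivers assertions to an attacker-chosen URL. Signing is not visible here.
        private SAMLResponse CreateSAMLResponse(SSOState ssoState)
        {
            Trace.Write("IdP", "Creating SAML response");

            SAMLResponse samlResponse = new SAMLResponse();
            string       issuerURL    = CreateAbsoluteURL("~/");
            Issuer       issuer       = new Issuer(issuerURL);

            samlResponse.Issuer = issuer;
            // Correlate the response with the originating request and pin where it may be delivered.
            samlResponse.InResponseTo = ssoState.authnRequest.ID;
            samlResponse.Destination  = ssoState.assertionConsumerServiceURL;

            if (User.Identity.IsAuthenticated)
            {
                samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);

                SAMLAssertion samlAssertion = new SAMLAssertion();
                samlAssertion.Issuer = issuer;

                // Ten-minute validity window (the same window the request-bound variant of this method uses).
                samlAssertion.Conditions = new Conditions(new TimeSpan(0, 10, 0));
                AudienceRestriction audienceRestriction = new AudienceRestriction();
                // NOTE(review): the project uses the ACS URL as the audience; the profile intends the SP's
                // entity ID here - confirm what the consuming SP expects.
                audienceRestriction.Audiences.Add(new Audience(ssoState.assertionConsumerServiceURL));
                samlAssertion.Conditions.ConditionsList.Add(audienceRestriction);

                Subject                 subject                 = new Subject(new NameID(User.Identity.Name));
                SubjectConfirmation     subjectConfirmation     = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer);
                SubjectConfirmationData subjectConfirmationData = new SubjectConfirmationData();
                subjectConfirmationData.InResponseTo        = ssoState.authnRequest.ID;
                subjectConfirmationData.Recipient           = ssoState.assertionConsumerServiceURL;
                // Bearer confirmation expires with the assertion; NotBefore is deliberately not set.
                subjectConfirmationData.NotOnOrAfter        = samlAssertion.Conditions.NotOnOrAfter;
                subjectConfirmation.SubjectConfirmationData = subjectConfirmationData;
                subject.SubjectConfirmations.Add(subjectConfirmation);
                samlAssertion.Subject = subject;

                AuthnStatement authnStatement = new AuthnStatement();
                authnStatement.AuthnContext = new AuthnContext();
                authnStatement.AuthnContext.AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Password);
                samlAssertion.Statements.Add(authnStatement);

                // Attributes may be included in the SAML assertion. The value is a fixed demo value, not
                // derived from the user's local account.
                AttributeStatement attributeStatement = new AttributeStatement();
                attributeStatement.Attributes.Add(new SAMLAttribute("Membership", SAMLIdentifiers.AttributeNameFormats.Basic, null, "Gold"));
                samlAssertion.Statements.Add(attributeStatement);

                samlResponse.Assertions.Add(samlAssertion);
            }
            else
            {
                // No assertion is issued for an unauthenticated caller; only the status reports the failure.
                samlResponse.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Responder, SAMLIdentifiers.SecondaryStatusCodes.AuthnFailed, "The user is not authenticated at the identity provider");
            }

            Trace.Write("IdP", "Created SAML response");

            return(samlResponse);
        }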
            public void ThrowsExceptionWhenAuthnStatementSessionNotOnOrAfterInPast()
            {
                // Arrange: take the shared fixture and append an AuthnStatement whose session
                // window (SessionNotOnOrAfter) closed an hour ago.
                var assertion = AssertionUtil.GetBasicAssertion();
                var expiredSession = new AuthnStatement
                {
                    AuthnInstant        = DateTime.UtcNow,
                    SessionNotOnOrAfter = DateTime.UtcNow.AddHours(-1)
                };

                var items = new List<StatementAbstract>(assertion.Items) { expiredSession };
                assertion.Items = items.ToArray();

                var validator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);

                // Act: a zero TimeSpan leaves no tolerance (presumably the clock-skew allowance),
                // so the expired session must be rejected.
                // NOTE(review): the test name promises an exception but nothing here asserts one,
                // so a validator that silently accepts the expired session would still pass. The
                // other tests in this fixture use Assert.Throws<Saml20FormatException>(...); either
                // restore the expected-exception attribute this listing may have dropped, or wrap
                // the call the same way.
                validator.ValidateTimeRestrictions(assertion, new TimeSpan());
            }
            public void ThrowsExceptionWhenAuthnContextItemsEmpty()
            {
                // Arrange: a well-formed statement except that its AuthnContext carries no
                // AuthnContextClassRef / AuthnContextDecl / AuthnContextDeclRef at all.
                var emptyContext = new AuthnContext
                {
                    Items            = new object[0],
                    ItemsElementName = new AuthnContextType[0]
                };
                var statement = new AuthnStatement
                {
                    AuthnInstant        = DateTime.UtcNow,
                    SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1),
                    AuthnContext        = emptyContext
                };

                // Act
                // NOTE(review): no assertion follows, so this test only proves the validator does
                // not crash — not that it rejects the empty context. The second copy of this test
                // in the fixture wraps the call in Assert.Throws<Saml20FormatException>; prefer
                // that form and drop this one.
                new Saml20StatementValidator().ValidateStatement(statement);
            }
            public void ThrowsExceptionWhenAuthnContextItemsEmpty()
            {
                // Arrange: an AuthnStatement whose AuthnContext has no child elements.
                var statement = new AuthnStatement
                {
                    AuthnInstant        = DateTime.UtcNow,
                    SessionNotOnOrAfter = DateTime.UtcNow.AddHours(1),
                    AuthnContext        = new AuthnContext
                    {
                        Items            = new object[0],
                        ItemsElementName = new AuthnContextType[0]
                    }
                };
                var validator = new Saml20StatementValidator();

                // Act / Assert: the schema requires at least one AuthnContext child, so the
                // validator must reject the statement with a Saml20FormatException.
                Assert.Throws<Saml20FormatException>(
                    () => validator.ValidateStatement(statement),
                    "AuthnContext element MUST contain at least one AuthnContextClassRef, AuthnContextDecl or AuthnContextDeclRef element");
            }
        /// <summary>
        /// Builds the SAML response for an SP-initiated flow: a Success response carrying one
        /// bearer assertion for the page's authenticated user, or a Responder/AuthnFailed status
        /// when nobody is signed in at the identity provider.
        /// </summary>
        /// <param name="page">The page whose <c>User.Identity</c> supplies the asserted subject.</param>
        /// <param name="authnRequest">The AuthnRequest being answered; its Id becomes InResponseTo.</param>
        /// <returns>A SAML Response object. Nothing here signs it, so the caller must sign before sending.</returns>
        public static ComponentPro.Saml2.Response BuildResponse(Page page, AuthnRequest authnRequest)
        {
            var issuer = new Issuer(GetAbsoluteUrl(page, "~/"));

            // Destination (and the Recipient below) come from configuration, not from the
            // request, so a forged AuthnRequest cannot redirect the assertion to another ACS.
            var response = new ComponentPro.Saml2.Response
            {
                Destination = Global.AssertionServiceUrl,
                Issuer      = issuer
            };

            if (!page.User.Identity.IsAuthenticated)
            {
                response.Status = new Status(SamlPrimaryStatusCode.Responder, SamlSecondaryStatusCode.AuthnFailed, "The user is not authenticated at the identity provider");
                return response;
            }

            response.Status = new Status(SamlPrimaryStatusCode.Success, null);

            // Bearer confirmation bound to this request (InResponseTo) and to the configured ACS (Recipient).
            // NOTE(review): no NotOnOrAfter is set on the confirmation data and the assertion gets
            // no Conditions (validity window, AudienceRestriction). Unless the caller adds them
            // before signing, the bearer assertion can be replayed indefinitely and presented to
            // any SP that trusts this issuer — confirm where that happens.
            var confirmation = new SubjectConfirmation(SamlSubjectConfirmationMethod.Bearer)
            {
                SubjectConfirmationData = new SubjectConfirmationData
                {
                    InResponseTo = authnRequest.Id,
                    Recipient    = Global.AssertionServiceUrl
                }
            };

            // The local login name is asserted as-is; mapping to the SP's identifier space is out of scope here.
            var subject = new Subject(new NameId(page.User.Identity.Name));
            subject.SubjectConfirmations.Add(confirmation);

            var assertion = new Assertion { Issuer = issuer, Subject = subject };
            assertion.Statements.Add(new AuthnStatement
            {
                AuthnContext = new AuthnContext
                {
                    AuthnContextClassRef = new AuthnContextClassRef(SamlAuthenticateContext.Password)
                }
            });

            response.Assertions.Add(assertion);
            return response;
        }
        // Create a SAML response with the user's local identity (IdP-initiated: there is no
        // AuthnRequest, so no InResponseTo is set). Destination and Recipient both come from
        // configuration rather than from anything the browser sent.
        // NOTE(review): this method does not check User.Identity.IsAuthenticated and always
        // returns Success; it presumably runs behind an authenticated page — confirm.
        // NOTE(review): no Conditions / NotOnOrAfter / AudienceRestriction are set here, so unless
        // a caller adds them the bearer assertion has no expiry and no intended audience.
        private SAMLResponse CreateSAMLResponse()
        {
            Trace.Write("IdP", "Creating SAML response");

            var issuer = new Issuer(CreateAbsoluteURL("~/"));

            var response = new SAMLResponse
            {
                Destination = Configuration.AssertionConsumerServiceURL,
                Issuer      = issuer,
                Status      = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null)
            };

            // Bearer confirmation: the assertion is valid for whoever presents it at Recipient.
            var bearer = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer)
            {
                SubjectConfirmationData = new SubjectConfirmationData
                {
                    Recipient = Configuration.AssertionConsumerServiceURL
                }
            };

            var subject = new Subject(new NameID(User.Identity.Name));
            subject.SubjectConfirmations.Add(bearer);

            var assertion = new SAMLAssertion { Issuer = issuer, Subject = subject };
            assertion.Statements.Add(new AuthnStatement
            {
                AuthnContext = new AuthnContext
                {
                    AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Password)
                }
            });

            response.Assertions.Add(assertion);

            Trace.Write("IdP", "Created SAML response");

            return response;
        }
        // Builds a signed SAML Response from query parameters and returns it Base64-encoded, the
        // way it would travel in a SAMLResponse form field. The signed XML is also dumped to
        // SAMLPayload.xml in the current working directory.
        //
        // NOTE(review): every input — including pfxLocation and pfxPwd, i.e. which private key
        // signs the payload — is read from queryParameters. That is only acceptable for a local
        // payload-generation tool; reachable over HTTP it would let the caller choose the signing
        // key and mint arbitrary identities, so confirm where queryParameters comes from.
        private string BuildSAML()
        {
            Func<string, string> param = key => queryParameters.FirstOrDefault(i => i.Key == key).Value;

            var issuerValue = param("issuer");
            var userEmail   = param("userEmail");
            var pfxLocation = param("pfxLocation");
            var pfxPwd      = param("pfxPwd");

            // NOTE(review): Destination is set to the issuer value. SPs that check Destination
            // against their own ACS URL will reject this unless the two happen to coincide.
            // NOTE(review): no Status element is set; samlp:Response requires one, so a
            // schema-validating consumer will refuse the message.
            var response = new SAMLResponse
            {
                Issuer      = new Issuer(issuerValue),
                Destination = issuerValue
            };

            // Subject carries only an email NameID: there is no SubjectConfirmation (bearer /
            // Recipient / InResponseTo), and Conditions has a one-hour window with no
            // AudienceRestriction.
            var assertion = new SAMLAssertion
            {
                Issuer     = new Issuer(issuerValue),
                Subject    = new Subject(new NameID(userEmail, null, null, SAMLIdentifiers.NameIdentifierFormats.EmailAddress, null)),
                Conditions = new Conditions(new TimeSpan(1, 0, 0))
            };

            assertion.Statements.Add(new AuthnStatement
            {
                AuthnContext = new AuthnContext
                {
                    AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.PasswordProtectedTransport)
                }
            });

            // One AttributeStatement per attribute, in this order, each value taken verbatim
            // from the query string.
            var attributes = new[]
            {
                new { Name = "member", Value = param("member") },
                new { Name = "mail",   Value = userEmail },
                new { Name = "cn",     Value = param("cn") },
                new { Name = "uid",    Value = param("uid") }
            };
            foreach (var attribute in attributes)
            {
                var statement = new AttributeStatement();
                statement.Attributes.Add(new SAMLAttribute(attribute.Name, SAMLIdentifiers.AttributeNameFormats.Basic, null, attribute.Value));
                assertion.Statements.Add(statement);
            }

            response.Assertions.Add(assertion);

            // Signing is unconditional. The signature is computed over the serialized response
            // with an enveloped-signature transform and the certificate placed in KeyInfo.
            // NOTE(review): the Reference URI targets the *assertion's* ID while the resulting
            // <Signature> is attached to the *response*. SAML requires the single Reference to
            // point at the ID of the element being signed, so a consumer verifying a
            // response-level signature expects the Response's own ID, and an assertion-level
            // signature belongs inside the Assertion. Confirm which element the target SP verifies.
            var signingCertificate = Util.LoadSignKeyAndCertificate(pfxLocation, pfxPwd);
            var signer = new SignedXml(response.ToXml()) { SigningKey = signingCertificate.PrivateKey };

            var keyInfo = new KeyInfo();
            keyInfo.AddClause(new KeyInfoX509Data(signingCertificate));
            signer.KeyInfo = keyInfo;

            var reference = new Reference { Uri = "#" + assertion.ID };
            reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
            signer.AddReference(reference);
            signer.ComputeSignature();

            response.Signature = signer.GetXml();

            // Second serialization now includes the Signature element.
            var payload = response.ToXml().OuterXml;

            // Relative path: the signed payload lands in the process's current directory.
            File.WriteAllText("SAMLPayload.xml", payload);
            return Util.EncodeToBase64(payload);
        }
        // Create a SAML response for Salesforce (IdP-initiated): Success status, one bearer
        // assertion with a one-hour validity window restricted to audienceURI, plus the
        // Salesforce-specific SSO start page / logout URL attributes.
        private SAMLResponse CreateSAMLResponse()
        {
            Trace.Write("IdP", "Creating SAML response");

            var issuer = new Issuer(Configuration.Issuer);

            var response = new SAMLResponse
            {
                Destination = Configuration.AssertionConsumerServiceURL,
                Issuer      = issuer,
                Status      = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null)
            };

            // Validity window first, so the bearer confirmation can share its NotOnOrAfter.
            // NOTE(review): one hour is long for a bearer assertion; a few minutes plus an
            // allowance for clock skew is the usual choice.
            var conditions = new Conditions(new TimeSpan(1, 0, 0));
            var audienceRestriction = new AudienceRestriction();
            audienceRestriction.Audiences.Add(new Audience(audienceURI));
            conditions.ConditionsList.Add(audienceRestriction);

            var bearer = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer)
            {
                SubjectConfirmationData = new SubjectConfirmationData
                {
                    Recipient    = Configuration.AssertionConsumerServiceURL,
                    NotOnOrAfter = conditions.NotOnOrAfter
                }
            };

            // Every local user is asserted as the single configured Salesforce login.
            // NOTE(review): that means all local accounts share one Salesforce identity and its
            // privileges. A real deployment must map the local identity (this method never looks
            // at User.Identity), and the caller must already have authenticated the user — confirm.
            var subject = new Subject(new NameID(Configuration.SalesforceLoginID, null, null, SAMLIdentifiers.NameIdentifierFormats.Unspecified, null));
            subject.SubjectConfirmations.Add(bearer);

            var assertion = new SAMLAssertion
            {
                Issuer     = issuer,
                Subject    = subject,
                Conditions = conditions
            };

            assertion.Statements.Add(new AuthnStatement
            {
                AuthnContext = new AuthnContext
                {
                    AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Unspecified)
                }
            });

            var salesforceAttributes = new AttributeStatement();
            salesforceAttributes.Attributes.Add(new SAMLAttribute(AttributeNames.SSOStartPage, SAMLIdentifiers.AttributeNameFormats.Unspecified, null, CreateAbsoluteURL("~/Login.aspx")));
            salesforceAttributes.Attributes.Add(new SAMLAttribute(AttributeNames.LogoutURL, SAMLIdentifiers.AttributeNameFormats.Unspecified, null, CreateAbsoluteURL("~/Logout.aspx")));
            assertion.Statements.Add(salesforceAttributes);

            response.Assertions.Add(assertion);

            Trace.Write("IdP", "Created SAML response");

            return response;
        }
        // Page load handler acting as a minimal SAML IdP for the Metanga self-care SP: builds a
        // bearer assertion, signs the response with metangasso.pfx and posts it to the SP's
        // consumer URL via the POST binding.
        //
        // NOTE(review): nothing here checks User.Identity.IsAuthenticated. When the session has no
        // "username", the subject falls back to the hard-coded account "XAF10964", so an
        // anonymous request to this page receives a signed assertion for that account. Gate this
        // on authentication (or on a real session) before anything production-like uses it.
        protected override void OnLoad(EventArgs e)
        {
            base.OnLoad(e);
              try
              {
            #region Custom Attributes
            // Custom attributes are left enabled here; the email/first/last name values are
            // hard-coded demo placeholders, not taken from any user store.
            var attributeStatement = new AttributeStatement();
            attributeStatement.Attributes.Add(new Atp.Saml2.Attribute("email", SamlAttributeNameFormat.Basic, null,
                                                                                     "*****@*****.**"));
            attributeStatement.Attributes.Add(new Atp.Saml2.Attribute("FirstName", SamlAttributeNameFormat.Basic, null,
                                                                                     "John"));
            attributeStatement.Attributes.Add(new Atp.Saml2.Attribute("LastName", SamlAttributeNameFormat.Basic, null, "Smith"));

            // Flag a user switch within the same session as "new" so the SP can reset its state.
            // ToLower() is a culture-sensitive compare; OrdinalIgnoreCase is the safer choice if kept.
            if (Session["username"] != null && Session["previoususername"] != null)
            {
              if (!Session["username"].ToString().ToLower().Equals(Session["previoususername"].ToString().ToLower()))
            attributeStatement.Attributes.Add(new Atp.Saml2.Attribute("samlsessionstate", SamlAttributeNameFormat.Basic, null, "new"));
            }
            #endregion

            // Set External Account Id for Metanga.
            // NOTE(review): a session with no "username" is given the demo account, and that value
            // is persisted into Session, so later requests in the same session look like a
            // returning user of that account.
            var externalAccountId = "XAF10964";
            if (Session["username"] != null)
            {
              externalAccountId = Session["username"].ToString();
            }
            else
            {
              Session["username"] = externalAccountId;
              Session["previoususername"] = externalAccountId;
            }

            var consumerServiceUrl = Helper.GetUrl("LinkSelfcareLogin");

            // The NameId is first built from User.Identity.Name and then overwritten with
            // externalAccountId, so the SP sees the external account id, not the login name.
            var subject = new Subject(new NameId(User.Identity.Name)) {NameId = {NameIdentifier = externalAccountId}};
            // NOTE(review): bearer confirmation without NotOnOrAfter or InResponseTo, and no
            // Conditions (validity window / AudienceRestriction) are added to the assertion below,
            // so the signed token never expires and is not tied to an audience.
            subject.SubjectConfirmations.Add(new SubjectConfirmation(SamlSubjectConfirmationMethod.Bearer)
                                            {
                                              SubjectConfirmationData = new SubjectConfirmationData { Recipient = consumerServiceUrl }
                                            });

            // Create a new authentication statement.
            var authnStatement = new AuthnStatement
            {
              AuthnContext = new AuthnContext
              {
            AuthnContextClassRef = new AuthnContextClassRef(SamlAuthenticateContext.Password)
              }
            };

            var issuer = new Issuer(GetAbsoluteUrl("~/"));
            var samlAssertion = new Assertion { Issuer = issuer, Subject = subject };
            samlAssertion.Statements.Add(authnStatement);
            samlAssertion.Statements.Add(attributeStatement);

            // Get the PFX certificate with Private Key.
            // NOTE(review): the PFX password is a compile-time literal in source. Anyone with the
            // repository (or the deployed assembly) can sign as this IdP; move the password into
            // protected configuration and, ideally, the key into a certificate store.
            var filePath = Path.Combine(HttpRuntime.AppDomainAppPath, "metangasso.pfx");
            const string pwd = "123";
            var x509Certificate = new X509Certificate2(filePath, pwd, X509KeyStorageFlags.MachineKeySet);

            // Without a private key nothing is sent and no error is surfaced to the user.
            if (!x509Certificate.HasPrivateKey)
              return;

            // Create a SAML response object.
            var samlResponse = new Response
            {
              // Assign the consumer service url.
              Destination = consumerServiceUrl,
              Issuer = issuer,
              Status = new Status(SamlPrimaryStatusCode.Success, null)
            };

            // Add assertion to the SAML response object.
            samlResponse.Assertions.Add(samlAssertion);

            // Sign the SAML response with the certificate.
            samlResponse.Sign(x509Certificate);

            // Post-login target forwarded to the SP. A session-supplied SsoLink is used as-is;
            // presumably only trusted code sets it — verify the user cannot influence that value.
            var targetUrl = Helper.GetUrl("LinkSelfcareBilling") + "?SSO=true";
            if (Session["SsoLink"] != null)
            {
              targetUrl = Session["SsoLink"].ToString();
            }

            // Send the SAML response to the service provider (auto-submitting POST form).
            samlResponse.SendPostBindingForm(Response.OutputStream, consumerServiceUrl, targetUrl);
              }
              catch (Exception exception)
              {
            // Catches everything, including signing failures, and only traces it; the browser
            // gets an empty page with no indication of why SSO did not happen.
            Trace.Write("IdentityProvider", "An Error occurred", exception);
              }
        }
        /// <summary>
        /// Assembles the basic test assertion shared by the validator tests: fixed Id and issuer,
        /// a bearer confirmation and a condition window that both expired on 2008-12-31, an
        /// audience restriction built from <c>GetAudiences()</c>, one AuthnStatement and one
        /// AttributeStatement with four LDAP-style (urn:oid) attributes.
        /// </summary>
        /// <returns>The <see cref="Assertion"/>.</returns>
        public static Assertion GetBasicAssertion()
        {
            // Expiry instant shared by SubjectConfirmationData and Conditions; tests that check
            // time restrictions rely on it being in the past.
            var expired = new DateTime(2008, 12, 31, 12, 0, 0, 0);

            var bearer = new SubjectConfirmation
            {
                Method = SubjectConfirmation.BearerMethod,
                SubjectConfirmationData = new SubjectConfirmationData
                {
                    NotOnOrAfter = expired,
                    Recipient    = "http://borger.dk"
                }
            };

            var authn = new AuthnStatement
            {
                AuthnInstant = new DateTime(2008, 1, 8),
                SessionIndex = "70225885",
                // One class ref plus one decl ref; Items and ItemsElementName are parallel arrays.
                AuthnContext = new AuthnContext
                {
                    Items = new object[]
                    {
                        "urn:oasis:names:tc:SAML:2.0:ac:classes:X509",
                        "http://www.safewhere.net/authncontext/declref"
                    },
                    ItemsElementName = new[]
                    {
                        AuthnContextType.AuthnContextClassRef,
                        AuthnContextType.AuthnContextDeclRef
                    }
                }
            };

            var attributes = new AttributeStatement
            {
                Items = new object[]
                {
                    new SamlAttribute
                    {
                        FriendlyName   = "SurName",
                        Name           = "urn:oid:2.5.4.4",
                        NameFormat     = SamlAttribute.NameformatUri,
                        AttributeValue = new[] { "Fry" }
                    },
                    new SamlAttribute
                    {
                        FriendlyName   = "CommonName",
                        Name           = "urn:oid:2.5.4.3",
                        NameFormat     = SamlAttribute.NameformatUri,
                        AttributeValue = new[] { "Philip J. Fry" }
                    },
                    // uid: deliberately no FriendlyName.
                    new SamlAttribute
                    {
                        Name           = "urn:oid:0.9.2342.19200300.100.1.1",
                        NameFormat     = SamlAttribute.NameformatUri,
                        AttributeValue = new[] { "fry" }
                    },
                    new SamlAttribute
                    {
                        FriendlyName   = "Email",
                        Name           = "urn:oid:0.9.2342.19200300.100.1.3",
                        NameFormat     = SamlAttribute.NameformatUri,
                        AttributeValue = new[] { "*****@*****.**" }
                    }
                }
            };

            var assertion = new Assertion
            {
                Issuer       = new NameId { Value = GetBasicIssuer() },
                Id           = "_b8977dc86cda41493fba68b32ae9291d",
                IssueInstant = DateTime.UtcNow,
                Version      = "2.0",
                Subject      = new Subject { Items = new object[] { bearer } },
                Conditions   = new Conditions
                {
                    NotOnOrAfter = expired,
                    Items        = new List<ConditionAbstract>
                    {
                        new AudienceRestriction { Audience = GetAudiences().Select(u => u.ToString()).ToList() }
                    }
                },
                Items = new StatementAbstract[] { authn, attributes }
            };

            return assertion;
        }
        // Create a SAML response for an SP-initiated flow: a Success response carrying one bearer
        // assertion for the signed-in user, or Responder/AuthnFailed when nobody is authenticated
        // at the identity provider.
        // Recipient and Destination come from configuration, not from the AuthnRequest, so a
        // tampered request cannot redirect the assertion; InResponseTo ties it to this request.
        // NOTE(review): no Conditions and no NotOnOrAfter are set here, so unless the caller adds
        // them before signing the bearer assertion never expires and names no audience.
        private SAMLResponse CreateSAMLResponse(AuthnRequest authnRequest)
        {
            Trace.Write("IdP", "Creating SAML response");

            var issuer = new Issuer(CreateAbsoluteURL("~/"));
            var response = new SAMLResponse
            {
                Destination = Configuration.AssertionConsumerServiceURL,
                Issuer      = issuer
            };

            if (!User.Identity.IsAuthenticated)
            {
                response.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Responder, SAMLIdentifiers.SecondaryStatusCodes.AuthnFailed, "The user is not authenticated at the identity provider");
                Trace.Write("IdP", "Created SAML response");
                return response;
            }

            response.Status = new Status(SAMLIdentifiers.PrimaryStatusCodes.Success, null);

            var bearer = new SubjectConfirmation(SAMLIdentifiers.SubjectConfirmationMethods.Bearer)
            {
                SubjectConfirmationData = new SubjectConfirmationData
                {
                    InResponseTo = authnRequest.ID,
                    Recipient    = Configuration.AssertionConsumerServiceURL
                }
            };

            // The local login name is asserted as-is.
            var subject = new Subject(new NameID(User.Identity.Name));
            subject.SubjectConfirmations.Add(bearer);

            var assertion = new SAMLAssertion { Issuer = issuer, Subject = subject };
            assertion.Statements.Add(new AuthnStatement
            {
                AuthnContext = new AuthnContext
                {
                    AuthnContextClassRef = new AuthnContextClassRef(SAMLIdentifiers.AuthnContextClasses.Password)
                }
            });

            response.Assertions.Add(assertion);

            Trace.Write("IdP", "Created SAML response");

            return response;
        }